Report No. D-2008-091         May 13, 2008

General Controls of the Capital Asset Management System-Military Equipment

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

CAMS-ME          Capital Asset Management System–Military Equipment
COOP             Continuity of Operations Plan
DFAS             Defense Finance and Accounting Service
DISA             Defense Information Systems Agency
DITSCAP          DoD Information Technology Security Certification and Accreditation Process
OATS             Ogden Asset Tracking System
IG               Inspector General
P&E              Property and Equipment
SAP              Systems, Applications, and Products in Data Processing
SSAA             System Software Authorization Agreement
SSC San Diego    Space and Naval Warfare Systems Center San Diego, California

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

May 13, 2008

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS/ACQUISITION RESOURCES AND ANALYSIS
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: General Controls of the Capital Asset Management System-Military Equipment (Report No. D-2008-091)

We are providing this report for review and comment. We considered comments from the Director, Acquisition Resources and Analysis and Director, Defense Information Systems Agency when preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. The Director, Acquisition Resources and Analysis comments were partially responsive. We request additional comments on Recommendations B.1. and F.1.c. As a result of new DoD certification and accreditation guidance and management comments, we deleted Recommendation A.2. Therefore, we request that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis provide a corrective action and completion date for Recommendation B.1. and a completion date for Recommendation F.1.c. by June 13, 2008. See findings B and F for the specific management comments required.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to audclev@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the audit staff. Questions should be directed to Mr. Edward A. Blair (216) 706-0074 extension 226 or Mr. Gregory M. Mennelti (216) 706-0074 extension 267. 
See Appendix B for the report distribution. The team members are listed inside the back cover.

Patricia A. Marsh, CPA
Assistant Inspector General
Defense Financial Auditing Service

Department of Defense Office of Inspector General
Report No. D-2008-091                                    May 13, 2008
(Project No. D2007-D000FN-0124.000)

The General Controls of the Capital Asset Management System-Military Equipment

Executive Summary

Who Should Read This Report and Why? DoD personnel who manage and use the Capital Asset Management System-Military Equipment will be interested in this report. DoD information system program managers and personnel involved in information assurance may also find the report useful. It discusses whether the Capital Asset Management System-Military Equipment’s general controls were adequately designed and operating effectively.

Background. The Capital Asset Management System-Military Equipment is the mid-term information technology solution ∗ implemented by the DoD to process and report military equipment financial data. 
Military equipment accounts for three-fourths of DoD General Property, Plant, and Equipment, the line item with the greatest dollar amounts on the balance sheet.

This audit focused on the general controls, which include:

    • security program planning and management,
    • access controls,
    • application development and change controls,
    • system software,
    • segregation of duties, and
    • service continuity controls.

The Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis is the program sponsor for the Capital Asset Management System-Military Equipment; Space and Naval Warfare Systems Center, San Diego, California, is the program management office and is responsible for development, including the technical configuration of the application. The Defense Information Systems Agency, Ogden, Utah, maintains the hardware and operating system; the Defense Finance and Accounting Service, Columbus, Ohio, performs the help desk, security, and database administration for the application.

∗ The information technology solution is an automated approach to capitalize military equipment using asset transactional data from the receipt, acceptance, and payment systems.

Results. Our audit determined that management had implemented some controls over entity-wide security program planning and management (finding A), access controls (finding B), application software development and change controls (finding C), system software (finding D), and segregation of duties (finding E). However, we identified internal control weaknesses that affect processing and reporting military equipment financial data. 
The weaknesses found were related to entity-wide security program planning and management (finding A), access controls (finding B), application software development and change controls (finding C), system software (finding D), segregation of duties (finding E), and service continuity (finding F). The deficient controls created system vulnerabilities that potentially jeopardize the integrity, confidentiality, and availability of data reported by the Capital Asset Management System-Military Equipment. The Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis and the Director, Defense Information Systems Agency must address these vulnerabilities as required by Federal and DoD criteria outlined in the report. See the finding sections of the report for detailed recommendations.

Management Comments and Audit Response. The Director, Acquisition Resources and Analysis provided comments for the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis. The Director, Acquisition Resources and Analysis comments were partially responsive, including one nonconcur and one partial concur. The Director, Defense Information Systems Agency provided comments that were fully responsive. Based on new DoD guidance and comments received from the Director, Acquisition Resources and Analysis, we deleted the recommendation on documenting system firmware. We take exception to the Director, Acquisition Resources and Analysis comments that the controls in place over terminating separated users’ accounts comply with guidance or have effectively controlled separated users’ accounts. We recommend holding the DoD Components responsible for their users’ accounts or providing an alternative control for separated users’ accounts. 
The Director, Acquisition Resources and Analysis plans to rely on Defense Information Systems Agency procedures to restore CAMS-ME to normal operations following a contingency. We recommend documenting or referencing those procedures in the CAMS-ME contingency plan. We request that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis provide comments on this report by June 13, 2008. See the Finding section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Management Actions. We have worked closely with the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis and the Director, Defense Information Systems Agency, and they have taken prompt action by implementing some recommendations prior to the issuance of this report.

Table of Contents

Executive Summary                                                   i

Background                                                          1
Objectives                                                          2
Review of Internal Controls                                         3

Findings
     A.   Entity-Wide Security Program Planning and Management      4
     B.   Access Controls                                           8
     C.   Application Software Development and Change Control      12
     D.   System Software                                          15
     E.   Segregation of Duties                                    19
     F.   Service Continuity                                       22

Appendixes
     A. Scope and Methodology                                      27
         Prior Coverage                                            29
     B. 
Report Distribution                                        30

Management Comments
     Under Secretary of Defense for Acquisition, Technology, and
        Logistics/Acquisition Resources and Analysis               33
     Defense Information Systems Agency                            38

Background

The Chief Financial Officers Act of 1990 (Public Law 101-576), as amended, mandates the preparation and audit of financial statements for certain agencies. In accordance with the Chief Financial Officers Act and generally accepted accounting principles, DoD is required to capitalize and depreciate the full cost of existing and future acquisitions of military equipment, including modifications and improvements, and report this information in the DoD quarterly and annual financial statements. DoD implemented Capital Asset Management System-Military Equipment (CAMS-ME) to record and value military equipment. To support the DoD goal of achieving auditability of financial statements, we conducted an audit of the general controls over CAMS-ME. General controls over systems are necessary to ensure the integrity, availability, and confidentiality of data processed by those systems.

Capital Asset Management System-Military Equipment. CAMS-ME is the information technology system being implemented to maintain and update military equipment valuation data. It is a DoD information system that is built upon the Systems Applications and Products in Data Processing (SAP) software. CAMS-ME is a mid-term information technology solution that supports the DoD enterprise transition plan. 
Military equipment accounts for approximately three-fourths of General Property, Plant, and Equipment, the line item with the greatest dollar amounts on the DoD balance sheet.

The Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis, Property and Equipment (P&E) Policy Office (Policy Office) deployed CAMS-ME in two increments. The first increment was deployed in June 2006 and the second increment was deployed on January 31, 2008. Increment 1 includes an interface with the Business Enterprise Information Services to collect expenditure data. Component representatives also use the CAMS-ME Web-based interface to update the status of military equipment assets. Therefore, Increment 1 provides the ability to calculate military equipment value using the average cost methodology. The average cost methodology values assets by calculating average costs from program budgetary data.

The P&E Policy Office designed Increment 2 to value military equipment based on the contract cost methodology. The contract cost methodology values assets by acquisition costs, derived from a contract, and the cost of embedded Government furnished material. Both valuation methodologies reside in CAMS-ME. Programs with new contract actions are to be valued using the contract cost methodology with Increment 2 deployment.

CAMS-ME is supported by the P&E Policy Office in Arlington, Virginia; the Space and Naval Warfare System Center (SSC) in San Diego, California; the Defense Information Systems Agency (DISA) in Ogden, Utah; and the Defense Finance and Accounting Service (DFAS) in Columbus, Ohio. 
The Army, Navy, Air Force, Marine Corps, and Other Defense Agencies use CAMS-ME to process and report military equipment financial data.

Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis. The Under Secretary of Defense for Acquisition, Technology, and Logistics and the Under Secretary of Defense (Comptroller) established the P&E Policy Office in December 2000 to ensure a consistent military equipment valuation methodology. The P&E Policy Office is the program sponsor for CAMS-ME and is responsible for administrative configuration management. These responsibilities include assigning a representative to chair and be a voting member of the configuration control board, ensuring the implementation of approved changes, and coordinating and scheduling all releases.

Space and Naval Warfare Systems Center-San Diego. SSC San Diego is the program management office responsible for the technical configuration of the SAP application before production. These technical configuration management responsibilities include creating configuration items, customizing development changes, communicating transport requests to the P&E Policy Office and DFAS Columbus, and participating in the functional configuration audits. SSC San Diego also provides help desk support for CAMS-ME.

Defense Information Systems Agency-Ogden. DISA Ogden is responsible for coordinating, scheduling, and managing all hardware, operating systems, networks, and non-SAP software environments with input from CAMS-ME project personnel. 
The information processing services conducted by DISA Ogden include operating and maintaining the processing site, computer hardware, communications hardware, the suite of operating system and software, data backup and tape management, and assisting in problem resolution.

Defense Finance and Accounting Service-Columbus. DFAS Columbus is responsible for the configuration management of the SAP application once it has been developed and tested. This includes managing the promotion of software configuration and custom development from initial development to quality assurance to production. In addition, DFAS Columbus manages configuration items for configuration management control and reporting, coordinates with the SSC San Diego Development Team to execute the SAP Transport Management System instructions, and manages all application and database maintenance and upgrades. The CAMS-ME Help Desk is also located at DFAS Columbus and assists CAMS-ME users with resetting passwords, answering questions, or resolving any technical difficulties they may encounter. Other responsibilities include testing, training, security, and Web-site development.

Objectives

The overall objective was to assess the integrity, availability, and confidentiality of data processed by CAMS-ME. Specifically, we determined whether the computer and computer-related controls over CAMS-ME were adequate. 
The general control testing included examining the entity-wide security program planning and management, access controls, application software development and change control, system software, segregation of duties, and service continuity. See Appendix A for a discussion of the scope and methodology.

Review of Internal Controls

We identified material internal control weaknesses for the P&E Policy Office and DISA as defined by DoD Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,” January 4, 2006. The P&E Policy Office did not have CAMS-ME general controls in place to:

    • ensure that the CAMS-ME system security authorization agreement was properly documented,
    • properly handle a separated user’s account,
    • establish adequate password parameters for CAMS-ME,
    • monitor or investigate unauthorized access attempts,
    • adequately document testing of emergency configuration changes,
    • segregate incompatible duties,
    • prioritize computerized operations, and
    • develop and document a comprehensive contingency plan.

DISA Ogden did not implement controls over physical software libraries, monitor access to and use of system software, implement system software change controls, or document a comprehensive contingency plan. Implementing Recommendations A., B.1, B.2, C., D.1, D.2, E.1, E.2, F.1, and F.2 will improve the general controls over CAMS-ME. 
We will provide a copy of the final report to the senior official responsible for internal controls in the P&E Policy Office and DISA Ogden.

A. Entity-Wide Security Program Planning and Management

The P&E Policy Office implemented many security program planning and management controls. Specifically, management adequately:

    • performed risk assessments in accordance with DoD policy,
    • established an information system security management structure,
    • implemented a security-related personnel procedure,
    • monitored the effectiveness of the security program, and
    • documented and implemented security planning and management controls over CAMS-ME.

However, the P&E Policy Office did not include an incident response plan and a description of system firmware [1] in the CAMS-ME system security authorization agreement (SSAA). The P&E Policy Office did not include these items because it did not follow Federal and DoD policy for preparing security plans. As a result, there is an increased risk of a system outage and of access to, changes to, and deletion of data by unauthorized users.

Security Planning and Management Controls

A program for security planning and management is the foundation of an entity’s security control structure. 
The program should establish a framework and continuing cycle of activity for assessing risk and for developing, implementing, and monitoring effective security procedures. The P&E Policy Office, DISA Ogden, and DFAS Columbus were responsible for security planning and management controls.

Periodic Risk Assessments

The P&E Policy Office, DISA Ogden, and DFAS Columbus adequately performed risk assessments for CAMS-ME and the DISA Ogden non-classified internet protocol router network. The P&E Policy Office and DISA Ogden performed and documented required certification and accreditation testing. Management accepted risks and developed plans of action and milestones for the weaknesses identified in the risk assessments. These controls help to ensure that all threats and vulnerabilities are identified and considered according to the level of risk in establishing security controls.

[1] Firmware is programming that is stored permanently in a hardware device, allowing reading and executing of the software.

Security Management Structure

The P&E Policy Office, SSC San Diego, DISA Ogden, and DFAS Columbus adequately established an information system security management structure. Management had an organizational chart for CAMS-ME that identified personnel and their titles. In addition, management documented job descriptions and appointment letters for security personnel. 
The P&E Policy Office, SSC San Diego, DISA Ogden, and DFAS Columbus implemented an ongoing security awareness program, and employees were aware of security policies. These controls assist in employee awareness of the system and application rules, personnel’s responsibilities, and their expected behavior.

Security-Related Personnel Procedures

The P&E Policy Office, SSC San Diego, DISA Ogden, and DFAS Columbus implemented effective security-related personnel procedures. They performed background investigations for new hires and reinvestigations within the proper time frame for current employees. DISA Computing Services required Single Scope Background Investigations for all privileged users. Management provided appropriate security training and monitored training records. These controls reduce the risk of hiring unqualified or untrustworthy individuals, providing terminated employees opportunities to impair entity operations or assets, failing to detect unauthorized employee actions, lowering employee morale, and allowing staff expertise to decline.

Information Systems Security Program

The P&E Policy Office and DISA Ogden adequately monitored the effectiveness of the security program. Management identified vulnerabilities that occurred within the past 3 years. The Information Assurance Officer adequately notified the designated approving authority when a significant vulnerability affected the acceptable risk level for the system. In addition, management implemented corrective actions. 
These controls are important to identifying areas of noncompliance, reminding employees of their responsibilities, and demonstrating management’s commitment to the security plan.

System Security Program Plan

The P&E Policy Office did not adequately document the CAMS-ME SSAA. Management did not include an incident response plan and a description of system firmware. Office of Management and Budget Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” and DoD Directive 8510.1-M, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 31, 2000, require organizations to include an incident response plan and procedures in Appendix K of the SSAA. In addition, DITSCAP requires that the system architecture include a detailed explanation of the system firmware. The P&E Policy Office did not include an incident response plan and description of system firmware because management did not follow Office of Management and Budget Circular A-130 and DITSCAP policy.

Incident Response Plan. The CAMS-ME SSAA included a Vulnerability Assessment Program Charter, March 6, 1998, which established the CAMS-ME management structure, assigned areas of responsibility, and outlined the delegation of authority. However, the Vulnerability Assessment Program Charter was outdated and did not detail an incident response plan for security events. As a result, there is an increased risk that a security event could occur and will not be properly addressed and corrected. Management has taken action by developing its draft “Capital Asset Management for Military Equipment, Incident Response Reporting Plan for CAMS-ME,” September 28, 2007. 
To further mitigate this risk, the P&E Policy Office should finalize the draft incident response plan and include it in the SSAA to ensure that procedures are clear, allowing security controls to be consistently applied.

Description of Firmware. The CAMS-ME SSAA System Architecture Description identified and described the system hardware, software, interfaces, data flows, and accreditation boundary. However, the SSAA System Architecture Description did not include a description of system firmware. As a result, there is an increased risk of compatibility issues.

We deleted the recommendation to include system firmware in the CAMS-ME SSAA based on the issuance of new DoD guidance and comments from the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis. DoD Instruction 8510.01, “Defense Information Assurance Certification and Accreditation Process,” November 28, 2007, replaced DITSCAP. However, at the time of our audit, the CAMS-ME authority to operate was granted under DITSCAP. The DoD Information Assurance Certification and Accreditation Process does not specifically require the documentation of system firmware. The National Institute of Standards and Technology Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” June 2002, suggests documenting all system resources including firmware. The Director, Acquisition Resources and Analysis identified a brief description of the storage area network in the CAMS-ME System Architecture and Requirements Allocation Description. However, she did not include details of the firmware. 
We do suggest that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis document all system resources, including firmware, for security and business continuity purposes. See the Management Comments section of the report for the full text of the comments.

Recommendations, Management Comments, and Audit Response

Deleted and Renumbered Recommendations. As a result of new DoD guidance and management comments, we deleted Recommendation A.2. Draft Recommendation A.1. has been renumbered as Recommendation A.

A. We recommend that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis finalize the draft “Capital Asset Management for Military Equipment, Incident Response Reporting Plan for CAMS-ME,” September 28, 2007, and include it in the System Security Authorization Agreement to comply with Office of Management and Budget Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” and DoD Directive 8510.1-M, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” July 31, 2000.

Management Comments. The Director, Acquisition Resources and Analysis concurred. The Director, Acquisition Resources and Analysis completed an incident response plan exercise on December 19, 2007, which included a review of the incident response plan. In addition, she included the incident response plan in the CAMS-ME certification and accreditation package, which was provided to the designated approving authority as required by DoD Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process,” November 28, 2007.

Audit Response. 
The Director, Acquisition Resources and Analysis comments were responsive and conform to requirements; no additional comments are needed.

B. Access Controls

The P&E Policy Office effectively implemented several system access controls. Specifically, management identified the CAMS-ME resource and system criticality levels and established adequate physical controls to protect system information. In addition, management developed adequate access control procedures to obtain access to the system and handle inactive accounts. However, the P&E Policy Office did not properly manage account access for employees who had left Government service, establish adequate password parameters for CAMS-ME, or monitor or investigate unauthorized access attempts. The P&E Policy Office did not establish adequate access controls because it did not properly create and follow access control policies and procedures. As a result, there is an increased risk of unauthorized access, modification, and deletion of software and data in CAMS-ME.

Physical and Logical Access Controls

Physical and logical access controls should provide reasonable assurance that organizations protect computer resources (data files, application programs, and computer-related facilities and equipment) against unauthorized modification, disclosure, loss, or impairment. Physical controls include activities such as keeping computers in locked rooms to limit physical access. Logical controls include preventative measures such as security software programs designed to prevent or detect unauthorized access to sensitive files. 
The P&E Policy Office,\n     SSC San Diego, DISA Ogden, and DFAS Columbus were responsible for\n     CAMS-ME access controls.\n\n\nClassification of Information Resources\n     The P&E Policy Office appropriately identified the CAMS-ME resource and\n     system criticality levels as required by DITSCAP. Management identified\n     CAMS-ME as a sensitive but unclassified system. The P&E Policy Office also\n     established a mission assurance category III system criticality level.\n     Classification of information resources is important when defining the acceptable\n     risk for the system in meeting the mission responsibilities and defining the type\n     and sensitivity of data processed by the system. Management established access\n     controls based on the classifications identified.\n\n\nAuthorized Users\n     The P&E Policy Office implemented procedures for requesting access and\n     handling inactive user accounts. Management documented system access request\n     forms, assigned roles based on the system access request forms, and reviewed\n     accounts for inactivity. However, management did not properly manage system\n     account access for employees who had left Government service.\n\n                                         8\n\x0c     Since the inception of CAMS-ME, management did not properly deactivate\n     account access for both individuals that had left Government service.\n     Specifically, as of May 17, 2007, one of the individuals with CAMS-ME access\n     had retired from a Government position and returned as a contractor. This\n     individual retained all rights and privileges granted from his system access\n     request provided as a Government employee. The second individual retired from\n     the Government on February 3, 2007; however, the individual\xe2\x80\x99s account remained\n     active until March 21, 2007. 
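
The two cases above are the kind of gap a periodic reconciliation of system accounts against personnel separation records would surface. The following is an added example, not code from the report or the CAMS-ME program; the record layout, the first retiree's separation date and the dismissal case are assumptions made for the example, while the second retiree's dates are the ones the report gives.

```python
"""Reconcile active CAMS-ME style accounts against personnel separation records.

Added example; not code from the DoD IG report or the CAMS-ME program. Records
are constructed from the two cases the report describes (a retiree who returned
as a contractor and kept his Government privileges, and a retiree whose account
stayed active 46 days). Field names, U1's separation date and the
unfriendly-termination record (U4) are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    user_id: str
    active: bool
    granted_as: str                     # employment status on the approved access request form
    deactivated_on: Optional[date] = None


@dataclass
class Separation:
    user_id: str
    separated_on: date                  # last day of Government service
    returned_as: Optional[str] = None   # e.g. "contractor" if the person came back in a new status
    unfriendly: bool = False            # dismissal: access must be gone at or before notification


@dataclass
class Finding:
    user_id: str
    issue: str
    days: int                           # how long the account outlived the separation


def reconcile(accounts: List[Account], separations: List[Separation],
              as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return one Finding per account that outlived its owner's separation.

    grace_days is the out-processing window tolerated for friendly separations;
    unfriendly terminations get no grace (NIST SP 800-12, chapter 10).
    """
    sep_by_user = {s.user_id: s for s in separations}
    findings: List[Finding] = []
    for acct in accounts:
        sep = sep_by_user.get(acct.user_id)
        if sep is None or sep.separated_on > as_of:
            continue                    # still in Government service as far as HR knows
        allowed = 0 if sep.unfriendly else grace_days
        if acct.active:
            days = (as_of - sep.separated_on).days
            if sep.returned_as and sep.returned_as != acct.granted_as:
                # Came back in a new role but kept the old request's privileges:
                # a fresh access request is needed, not a carried-over account.
                issue = f"privileges granted as {acct.granted_as}; now a {sep.returned_as}"
            else:
                issue = "account still active after separation"
            findings.append(Finding(acct.user_id, issue, days))
        elif acct.deactivated_on is not None:
            late = (acct.deactivated_on - sep.separated_on).days
            if late > allowed:
                findings.append(Finding(acct.user_id, "deactivated late", late))
    return findings


# Constructed sample data (U2's dates are the ones the report gives).
AS_OF = date(2007, 5, 17)
ACCOUNTS = [
    Account("U1", active=True, granted_as="government"),
    Account("U2", active=False, granted_as="government", deactivated_on=date(2007, 3, 21)),
    Account("U3", active=True, granted_as="government"),     # still employed, no HR record
    Account("U4", active=False, granted_as="government", deactivated_on=date(2007, 4, 10)),
]
SEPARATIONS = [
    Separation("U1", date(2007, 1, 31), returned_as="contractor"),  # assumed retirement date
    Separation("U2", date(2007, 2, 3)),
    Separation("U4", date(2007, 4, 10), unfriendly=True),           # removed same day: compliant
]


def audit_sample() -> List[Finding]:
    return reconcile(ACCOUNTS, SEPARATIONS, AS_OF)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.user_id}: {f.issue} ({f.days} days)")
```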
National Institute of Standards and Technology (NIST) Special Publication 800-12, “An Introduction to Computer Security,” chapter 10, October 1995, recommends that management terminate access to the system in a timely manner (during out-processing procedures) and, in case of an unfriendly termination, remove access at the same time (or just before) the employee is notified of dismissal. Controls over account access were not adequate because the P&E Policy Office did not establish procedures requiring the Components to notify the help desk when employees left Government service or no longer required access. As a result, there is an increased risk that separated employees could access CAMS-ME, damage system operations, and alter data within the system, which could lead to misstatements of military equipment information. To mitigate these risks, the P&E Policy Office should establish clear procedures in the memorandums of understanding for handling accounts of separated employees, to include transfer, promotion, retirement, and unfriendly termination.

Physical and Logical Controls

Management established adequate physical controls over the CAMS-ME hardware. However, the P&E Policy Office did not establish adequate logical controls. Specifically, management did not enable the SAP password parameters that define the validity period for passwords created for new accounts, established by the user, and reset by the help desk.

DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003, requires management to enforce automatic expiration of passwords by implementing system mechanisms. In addition, the “CAMS-ME SAP Password Profile Parameters Policy,” April 25, 2006, requires 17 SAP parameters, including those identified above, to be set for CAMS-ME. The P&E Policy Office did not set the password parameters because management did not follow the CAMS-ME password policy. As a result, there is an increased risk that an individual could gain unauthorized access to CAMS-ME and delete or modify critical system programming and data. Management has taken action and mitigated this risk by ensuring that all capable functions are enabled for the 17 password parameters.

Monitor Access and Investigate Security Violations

The P&E Policy Office performed a monthly review of the CAMS-ME activity logs. However, management did not monitor or investigate suspicious activity, such as unsuccessful access attempts. DoD Instruction 8500.2 requires the review of audit logs from all available sources for indications of inappropriate or unusual activities, and tools are available for the review of audit records and for report generation. Audit logs are critical for providing information related to unauthorized and suspicious activities. Controls over monitoring and investigating suspicious activity were not adequate because the P&E Policy Office did not establish procedures for reviewing available audit logs. As a result, there is an increased risk that inappropriate access or activity would go undetected. To mitigate this risk, management should develop procedures for monitoring and investigating unsuccessful access attempts.

Recommendations, Management Comments, and Audit Response

B. We recommend that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis:

1. Incorporate into the Memorandums of Agreement the requirement for supervisors to notify the help desk when employees with access to the Capital Asset Management System-Military Equipment separate from the Component or no longer require access, to ensure that the user accounts are deactivated, in accordance with National Institute of Standards and Technology Special Publication 800-12, “An Introduction to Computer Security,” October 1995.

Management Comments. The Director, Acquisition Resources and Analysis partially concurred. The Director, Acquisition Resources and Analysis identified the system access request form and account termination policy of 100 days as controls in place.

Audit Response. The Director, Acquisition Resources and Analysis comments were partially responsive. Terminations of access for these two separated employees were not controlled as recommended by the National Institute of Standards and Technology. The system access request form only places responsibility on the employee for alerting management of their departure. In the two cases, this control did not ensure the timely termination of the accounts. Separated user accounts pose a considerable risk to the system. We recommend that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis enter an agreement with the users’ employers—the DoD Components—to provide another layer of accountability for users’ accounts or to develop another control to effectively manage separated users’ accounts. We request that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis provide a corrective action to control separated users’ accounts and a completion date in her comments on the final report.

2. Develop and implement a security policy that includes monitoring and investigating suspicious activity, such as unsuccessful logon attempts, as required by DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003.

Management Comments. The Director, Acquisition Resources and Analysis concurred. The Director, Acquisition Resources and Analysis plans to update the existing security policy to include monitoring suspicious activity at the operating system and network layers by August 2008.

Audit Response. The Director, Acquisition Resources and Analysis comments were responsive and conform to requirements; no additional comments are needed. In addition, we suggest the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis include monitoring the application layer when updating this policy.

C. Application Software Development and Change Control

The P&E Policy Office documented a structured configuration management plan, implemented controls over testing and approving new and revised software, and implemented controls over migrating changes from development to production. However, the P&E Policy Office did not adequately document testing of emergency configuration changes, and DISA Ogden did not implement controls over physical software libraries. These application change control weaknesses occurred because the P&E Policy Office did not follow emergency change procedures for documenting testing of emergency configuration changes, and DISA Ogden did not establish procedures for controlling physical software libraries. As a result, there is an increased risk that software changes may be implemented before test results are evaluated and that CAMS-ME software may not be available for installing on or updating a CAMS-ME server.

Application Change Control

Application software supports a specific operation or business process. Establishing controls over the modification of application software helps to ensure that only authorized programs and modifications are implemented. Organizations can accomplish this by instituting policies, procedures, and techniques that help ensure all programs and program modifications are properly authorized, tested, and approved, and that access to and distribution of programs is carefully controlled. The P&E Policy Office, SSC San Diego, DISA Ogden, and DFAS Columbus are responsible for configuration management.

Authorization of Processing Features and Program Modifications

The P&E Policy Office, SSC San Diego, and DFAS Columbus documented and implemented procedures for CAMS-ME configuration management responsibilities. The procedures established requirements to involve the user throughout the process, provided guidance to staff with varying levels of skill and experience, and documented configuration management changes. The P&E Policy Office consistently documented and approved system changes using standard forms. In addition, it enforced policies prohibiting the use of public domain and personal software. These controls reduce the risk of implementing unauthorized programs and modifications.

Testing and Approval of All New and Revised Software

The P&E Policy Office implemented controls over testing and approving new and revised software. Management provided sufficient documentation to support testing and approval for 12 reviewed changes. However, management did not provide documentation to support testing of emergency changes. The P&E Policy Office “Capital Asset Management System-Military Equipment (CAMS-ME) Configuration Control Board Procedures” states that the systems integrator should work with the help desk to document emergency changes within 24 hours after the change. Management did not properly document testing of emergency changes because it did not follow configuration control board procedures. As a result, there is an increased risk that errors or unauthorized modifications could be implemented and have an impact on the reliability, confidentiality, and availability of CAMS-ME data. To mitigate this risk, the P&E Policy Office should enforce the configuration control board procedure that requires documenting the tests of emergency changes.

Controls over Software Libraries

The P&E Policy Office had adequate controls over migrating changes from development to quality assurance and from quality assurance to production. Management used the SAP Transport Management System to ensure proper migration and tracking for application changes. However, DISA Ogden did not implement controls over the CAMS-ME Windows® physical software library. A physical software library is a storage repository for definitive authorized versions of all software. It provides assurance that the official approved version of all software is available and provides a record of old program versions. Management did not maintain a log to record the check-in and check-out of software. National Institute of Standards and Technology Special Publication 800-53, “Information Security,” February 2005, recommends implementing controls over the information system and media libraries, including the authorization of delivery to and removal from the library. Controls over the CAMS-ME Windows® physical software library were not adequate because management did not develop procedures to control the Windows® physical software libraries. As a result, there is an increased risk that CAMS-ME software would not be available for installing on or updating a CAMS-ME server. DISA Ogden has taken action by developing standard operating procedures for Windows® physical software library controls that were effective August 1, 2007. The procedures include maintaining a spreadsheet of all current software on hand and checked out and require the check-out and check-in process to go through a librarian.

Recommendations, Management Comments, and Audit Response

Renumbered Recommendation. Draft recommendation C.1. has been renumbered to Recommendation C.

C. We recommend that the Under Secretary of Defense for Acquisition, Technology, and Logistics/Acquisition Resources and Analysis properly document testing of emergency configuration changes to comply with the “Capital Asset Management System-Military Equipment (CAMS-ME) Configuration Control Board Procedures.”

Management Comments. The Director, Acquisition Resources and Analysis concurred. The Director, Acquisition Resources and Analysis stated that the exception noted in the finding occurred at the inception of the application and that policies and procedures have been in place to control emergency changes since March 2007.

Audit Response. The Director, Acquisition Resources and Analysis comments were responsive and conform to requirements; no additional comments are needed.

D. System Software

The P&E Policy Office and DISA Ogden documented and effectively implemented many required controls over access to CAMS-ME system software. However, DISA Ogden did not effectively monitor access to, use of, and control changes to system software. Management did not monitor access to and use of system software and did not implement system software change controls because they did not follow DISA policies for system audit log review and vulnerability management, and they did not have adequate procedures for tracking asset information. As a result, there is an increased risk that unauthorized access to system software could occur without being identified, vulnerabilities could be exploited, and management could make decisions without complete software and version information for CAMS-ME servers.

System Software Controls

System software is a set of programs designed to operate and control the processing activities of computer equipment. System software assists with controlling and coordinating the input, processing, output, and data storage. The CAMS-ME application is installed on Microsoft® Windows® Server 2003, and the database is installed on servers with the UNIX operating system. DISA Ogden is responsible for maintaining CAMS-ME system software and related access controls. The P&E Policy Office is responsible for maintaining the database.

Access to System Software

DISA Ogden implemented controls to protect the integrity of CAMS-ME. These controls included employing automated mechanisms to support managing user accounts, disabling accounts after time requirements expired, and appropriate auditing of user accounts. These controls help ensure that system software is adequately protected and that security features are not bypassed.

Monitor Access to and Use of System Software

DISA Ogden implemented controls, including system audit logs and an automated tool to track changes to critical system files. However, DISA Ogden did not implement controls to fully monitor access to and use of system software. Specifically, management did not implement controls over reviews of system audit logs and vulnerability management.

Audit Log Reviews. Management did not implement an independent review of the system audit logs. The system administrator explained that he reviewed the audit logs for anomalies. However, no one else performed reviews or analyzed the logs. DISA Access Control STIG, “Security Technical Implementation Guide,” Version 1, Release 1, June 2006, requires not only a review of system audit logs, but also suggests, as a best practice, an independent review and analysis of system audit logs. It further requires that a security manager, information assurance manager, or other designated person review the audit logs for trends and anomalies, which can serve as a preventive and detective control against down-time and attacks on the system. In addition, DISA Interoffice Memorandum, “Auditing Requirements,” May 7, 2007, provides guidance for configuring system audit logs to focus limited resources on the most important audit information while DoD pursues an enterprise solution to fully address system audit requirements. The system audit logs were not independently reviewed because management did not follow DoD guidance. Management also stated there was too much data in the logs to review. As a result, there is an increased risk that unauthorized system changes, including installation of unauthorized software, addition of new users, and profile changes to current users, could be made without being detected.

No recommendation is being made to address CAMS-ME Windows® system audit logs because management was responsive to a recommendation made in DoD Inspector General (IG) Report D-2006-086, “Report on the General and Applications Controls at the Defense Information Systems Agency, Center for Computing Services,” May 18, 2006. Recommendation C.2. of that report recommended that the Chief, Field Security Operations develop and implement consistent procedures across the entity to create, monitor and review, protect, and maintain system audit trails to comply with the Security Technical Implementation Guides to provide a standard set of auditing tools. The Chief, Field Security Operations concurred and stated that an Enterprise Wide Solutions Steering Group initiative, called the Tier III Security Incident Manager, was established in 2007 to acquire an audit capability. The solution is a DoD-level initiative, and DISA plans to leverage the Tier III Security Incident Manager solution when it becomes available to DoD.

Vulnerability Management. Management did not address CAMS-ME server vulnerabilities in a timely manner. DISA separates the vulnerabilities into one of the following four categories based on severity.

• Category I. Any vulnerability that may provide an attacker immediate access into a machine, allow super-user access, or bypass a firewall.

• Category II. Any vulnerability that provides information that has a high potential of giving access to an unauthorized person or provides an unauthorized person the means to circumvent security controls.

• Category III. Any vulnerability that provides information that potentially could lead to unauthorized access.

• Category IV. Any other vulnerabilities that would potentially contribute to degraded security.

The Windows® servers contained 3 Category I and 68 Category II vulnerabilities [2] that remained open past the allowed time frame. The UNIX servers contained 18 Category II vulnerabilities that remained open past the allowed time frame.

[2] Category III and IV vulnerabilities were not analyzed because the time period in which action must be taken, 180 and 1000 days respectively, was outside of the scope of our audit.

The DISA Information Assurance Vulnerability Alert Handbook, February 2007, states that information assurance vulnerability alerts must be mitigated within a specified time frame or, where they cannot be resolved, a plan of action must be documented and approved.
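
Applying the four categories above together with the handbook time frames the report cites (25, 60, 180, and 1000 days for Categories I through IV), the following added example, not code from the report, DISA, or the CAMS-ME program, flags open findings that are past their window on a constructed scan snapshot; the host names, alert identifiers, and dates are assumptions.

```python
"""Check open server findings against the DISA IAVA time frames the report cites.

Added example; not code from the DoD IG report, DISA or the CAMS-ME program.
The four severity categories and the 25/60/180/1000-day windows are the ones
the report quotes from the DISA IAVA Handbook (February 2007). Host names,
alert identifiers and dates below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Days allowed to correct, mitigate, or get an approved POA&M, per category.
DEADLINE_DAYS = {"I": 25, "II": 60, "III": 180, "IV": 1000}


@dataclass
class OpenFinding:
    host: str
    platform: str                  # "Windows" or "UNIX", as the report splits them
    iava_id: str                   # placeholder ids, not real alerts
    category: str                  # "I", "II", "III" or "IV"
    opened_on: date                # date the alert applied to this host
    poam_approved: bool = False    # an approved plan of action and milestones satisfies the handbook


@dataclass
class Overdue:
    host: str
    platform: str
    iava_id: str
    category: str
    days_over: int


def due_date(f: OpenFinding) -> date:
    """Last compliant day for a finding; unknown categories are an input error."""
    if f.category not in DEADLINE_DAYS:
        raise ValueError(f"unknown DISA category {f.category!r} on {f.host}")
    return f.opened_on + timedelta(days=DEADLINE_DAYS[f.category])


def overdue(findings: List[OpenFinding], as_of: date) -> List[Overdue]:
    """Findings past their window with neither a fix nor an approved POA&M."""
    out: List[Overdue] = []
    for f in findings:
        if f.poam_approved:
            continue
        due = due_date(f)
        if as_of > due:
            out.append(Overdue(f.host, f.platform, f.iava_id, f.category, (as_of - due).days))
    return out


def summarize(items: List[Overdue]) -> Dict[Tuple[str, str], int]:
    """Counts per (platform, category), the way the report tallies them."""
    counts: Dict[Tuple[str, str], int] = {}
    for o in items:
        key = (o.platform, o.category)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed scan snapshot; AS_OF is assumed (the audit pulled data in March 2007).
AS_OF = date(2007, 3, 15)
SAMPLE = [
    OpenFinding("w1", "Windows", "IAVA-PLACEHOLDER-1", "I", date(2007, 1, 10)),
    OpenFinding("w2", "Windows", "IAVA-PLACEHOLDER-2", "II", date(2006, 12, 1)),
    OpenFinding("w3", "Windows", "IAVA-PLACEHOLDER-3", "II", date(2007, 2, 1)),    # still in window
    OpenFinding("w4", "Windows", "IAVA-PLACEHOLDER-4", "I", date(2007, 1, 1), poam_approved=True),
    OpenFinding("u1", "UNIX", "IAVA-PLACEHOLDER-5", "II", date(2006, 11, 15)),
    OpenFinding("u2", "UNIX", "IAVA-PLACEHOLDER-6", "III", date(2006, 10, 1)),     # 180-day window
]


def check_sample() -> List[Overdue]:
    return overdue(SAMPLE, AS_OF)


if __name__ == "__main__":
    items = check_sample()
    for o in items:
        print(f"{o.host} {o.iava_id} Cat {o.category}: {o.days_over} days past due")
    print(summarize(items))
```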
It further states that vulnerabilities\n    must be corrected, have a mitigation plan in place, or an updated plan of action\n    and milestones within 25 days for Category I or 60 days for Category II. The\n    vulnerabilities existed because management did not follow vulnerability\n    management policy. As a result, there is an increased risk of successful attacks\n    on the system which could impact the reliability, availability, and confidentiality\n    of CAMS-ME data. To mitigate this risk, management should immediately\n    address the identified Category I and II vulnerabilities and appropriately address\n    other identified vulnerabilities within the specified policy time frames.\n\n\nControl System Software Changes\n    DISA Ogden documented and implemented controls for system software changes,\n    including tracking problems with system software and alerting customers of\n    down-time required to perform system maintenance. However, DISA Ogden did\n    not record software and software version information in the Ogden Asset\n    Tracking System (OATS) in a timely manner. Specifically, Windows\xc2\xae system\n    administrators did not maintain current system software information in OATS for\n    all 19 of the CAMS-ME Windows\xc2\xae servers. Before we requested the CAMS-ME\n    system information in March 2007, system administrators had not updated system\n    software information since September 2006. The \xe2\x80\x9cDISA Computing Services\n    Operations Operational Change and Configuration Management Plan,\xe2\x80\x9d\n    March 21, 2006, requires quarterly census audits to compare and reconcile\n    property management and asset accounting records. According to the DISA\n    Systems Management Center Ogden Configuration Management Plan,\n    March 2006, system administrators are responsible for updating the information\n    in OATS. 
The system administrators did not update the CAMS-ME Windows\xc2\xae\n    software information in a timely manner because the DISA Systems Management\n    Center Ogden Configuration Management Plan did not establish a time frame for\n    updating system information in OATS. As a result, there is an increased risk that\n    management would not have complete and updated software and software version\n    information to make decisions regarding vulnerabilities, licensing,\n    interconnectivity, and recovery. To mitigate this risk, DISA Ogden should update\n    the Configuration Management Plan to include a requirement for updating the\n    OATS data quarterly, at minimum, for new versions of installed system software\n    and for conducting audits of the information for validity.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    D.1. We recommend that the Under Secretary of Defense for Acquisition,\n    Technology, and Logistics/Acquisition Resources and Analysis address\n    Capital Asset Management System-Military Equipment database\n    vulnerabilities within the specified time frames to comply with DISA\n    Information Assurance Vulnerability Alert Handbook, February 2007.\n\n\n                                        17\n\x0cManagement Comments. The Director, Acquisition Resources and Analysis concurred.\nThe Director, Acquisition Resources and Analysis has documented an ongoing issue with\ndelayed critical patch updates with the Systems, Applications, and Products in Data\nProcessing implementation and will document a plan of action and milestones in the\nvulnerability management system.\n\nAudit Response. The Director, Acquisition Resources and Analysis comments were\nresponsive and conform to requirements; no additional comments are needed.\n\nD.2. We recommend that the Director, Defense Information Systems Agency:\n\n      a. 
Address Capital Asset Management System-Military Equipment\nWindows\xc2\xae server vulnerabilities within the specified time frames to comply with\nDISA Information Assurance Vulnerability Alert Handbook, February 2007.\n\n       b. Update the DISA Systems Management Center Ogden Configuration\nManagement Plan, March 2006, to include a requirement for updating the Ogden\nAsset Tracking System data at a minimum on a quarterly basis for new versions of\nsystem software installed. The Configuration Management Plan should also require\nperiodic audits of the information to comply with the \xe2\x80\x9cDISA Computing Services\nOperations Operational Change and Configuration Management Plan,\xe2\x80\x9d\nMarch 21, 2006.\n\nManagement Comments. The Defense Information Systems Agency concurred. The\nDirector, Defense Information Systems Agency Computing Services plans to develop a\nplan of action and milestones for all Windows and Unix category I and II vulnerabilities\nby May 5, 2008. In addition, the Director, Defense Information Systems Agency\nComputing Services has already taken action and provided the audit team with the\nupdated configuration management plan in November 2007.\n\nAudit Response. We commend the Director, Defense Information Systems Agency for\ntaking prompt corrective action. The Director, Defense Information Systems Agency\ncomments were responsive and conform to requirements; no additional comments are\nneeded.\n\n\n\n\n                                           18\n\x0c            E. Segregation of Duties\n            The P&E Policy Office documented procedures for personnel to follow in\n            performing their job functions and established access controls to separate\n            the development, testing, and production environments. However,\n            management did not properly segregate incompatible duties. 
Segregation\n            of incompatible duties was inadequate because the P&E Policy Office did\n            not follow DoD guidance. As a result, there is an increased risk of\n            unauthorized or erroneous posting of, changes to, or deletion of\n            transactions within CAMS-ME.\n\n\nSegregation of Duties Controls\n     Segregation of duties refers to the separation of work responsibilities to prevent\n     one employee from controlling all critical stages of a process. Segregation of\n     duties is a critical control that assures the separation of the functions of\n     authorizing, processing, recording, and reviewing transactions. Dividing duties\n     among two or more individuals or groups diminishes the likelihood that errors\n     and wrongful acts will go undetected because the activities of one individual or\n     group will serve as a check on the activities of the other. Segregation of duties\n     reviewed includes duties performed by the project team, development personnel,\n     and the help desk at the P&E Policy Office, SSC San Diego, and DFAS\n     Columbus.\n\n\nOperating Procedures\n     The P&E Policy Office effectively controlled personnel activity through the use\n     of operating procedures. In conjunction with SSC San Diego and DFAS\n     Columbus, the P&E Policy Office documented operating procedures for the\n     development, help desk, and security management personnel. Management also\n     reviewed and approved configuration and administration changes that effected the\n     operation of CAMS-ME. These procedures help prevent and detect unauthorized\n     personnel actions such as fraudulent transactions and improper implementation of\n     program changes.\n\n\nSegregate Incompatible Duties\n     The P&E Policy Office implemented access controls to segregate duties, such as\n     creating separate development, testing, and production environments. 
In addition,\n     management developed, assigned, and monitored CAMS-ME profiles to limit\n     user activity and provided project team, development, and help desk personnel\n     with information necessary to understand their job functions. However, they did\n     not develop and implement controls to segregate all functions. Specifically,\n     management created help desk and generic data input user accounts that did not\n     allow for least privilege and separation of duties principles.\n\n\n\n                                         19\n\x0c    Help Desk User Accounts. Management assigned more profiles to help desk\n    user accounts than were necessary to perform their job functions. The profiles\n    provided them the ability to create, edit, and delete transactions within\n    CAMS-ME. According to the DFAS Columbus, "CAMS-ME Operations Support\n    Team Management Plan," the primary responsibilities of the help desk at DFAS\n    Columbus were to perform user administration and record transaction problems.\n    The transaction problems were to be resolved by personnel at the P&E Policy\n    Office, not the help desk. DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance\n    Implementation,\xe2\x80\x9d February 6, 2003, requires the Information Assurance Manager\n    to develop and implement a role-based access scheme that implements the\n    principles of least privilege and separation of functions. Management assigned\n    the help desk user accounts these profiles because they did not follow DoD policy\n    on segregation of duties and least privilege principles. As a result, there is an\n    increased risk of unauthorized entries, corrections, or deletions of transactions\n    within CAMS-ME. To mitigate this risk, management should review the help\n    desk user accounts to ensure that they have enough, but not excessive,\n    CAMS-ME profiles to perform their job functions.\n\n    Generic Data Entry User Accounts. 
The P&E Policy Office developed generic\n    user accounts that did not provide for segregation of duties. Management\n    developed three data conversion accounts to enter military equipment data into\n    CAMS-ME at inception, and subsequently created four more of these accounts.\n    These seven accounts allowed a user to input or change data for any military\n    equipment program without a review for accuracy. The generic accounts were\n    used at the end of FY 2006, but management did not retain documentation of how\n    and why the accounts were used. DoD Financial Management Regulation,\n    volume 1, chapter 3, Key Accounting Requirement 7 states that organizations\n    must maintain a separation of duties for reviewing transactions. In addition, DoD\n    Instruction 8500.2 states that access to DoD information systems processing sensitive\n    information requires presentation of an individual authenticator; a generic account\n    shared by several users cannot satisfy that requirement, and entries made through\n    it cannot be attributed to the individual who made them. The accounts\n    remained in the system because the P&E Policy Office did not follow DoD\n    guidance. As a result, there is an increased risk that one or more of these\n    accounts could be intentionally or unintentionally unlocked and unauthorized or\n    erroneous data could be entered into CAMS-ME. If there is no review of this\n    data, the errors will go undetected and will subsequently be reported on the DoD\n    balance sheet. To mitigate this risk, management should delete these accounts.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    E. We recommend that the Under Secretary of Defense for Acquisition,\n    Technology, and Logistics/Acquisition Resources and Analysis:\n\n           1. Review help desk user accounts to ensure that they have the\n    appropriate profiles to perform their job functions to comply with DoD\n    Instruction 8500.2, \xe2\x80\x9cInformation Assurance Implementation,\xe2\x80\x9d February 6,\n    2003.\n\n           2.\n
Delete the generic data conversion user accounts to limit the ability\n    of a user to intentionally or unintentionally enter erroneous data without an\n    audit trail or supervisory review in accordance with DoD Financial\n    Management Regulation, volume 1, chapter 3, Key Accounting\n    Requirement 7 and DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance\n    Implementation,\xe2\x80\x9d February 6, 2003.\n\n       Management Comments. The Director, Acquisition Resources and\nAnalysis concurred. The Director, Acquisition Resources and Analysis has\ncompleted a review of the help desk user accounts and identified mitigating\ncontrols to ensure that assets are protected. In addition, the Director, Acquisition\nResources and Analysis deleted the generic data entry accounts in\nNovember 2007.\n\n       Audit Response. We commend the Director, Acquisition Resources and\nAnalysis for taking prompt action in resolving these recommendations. The\nDirector, Acquisition Resources and Analysis comments were responsive and\nconform to requirements; no additional comments are needed.\n\n\n            F. Service Continuity\n            DISA Ogden established adequate environmental controls. However, the\n            P&E Policy Office and DISA Ogden did not adequately design service\n            continuity controls to operate effectively. Specifically, management did\n            not prioritize computerized operations and develop and document a\n            comprehensive contingency plan. The P&E Policy Office and DISA\n            Ogden did not design adequate service continuity controls because they\n            did not establish or follow service continuity policies and procedures.\n
As\n            a result, there is an increased risk of delay in the restoration of critical\n            operations and loss of data in an emergency.\n\n\nService Continuity Controls\n     Service continuity is commonly treated as synonymous with disaster recovery\n     planning, but it must cover the full range of disruptions, not only major\n     disasters. A loss of the capability to process, retrieve, and protect\n     electronically maintained information can significantly affect an agency\xe2\x80\x99s\n     ability to accomplish its mission. Because of this risk, organizations should\n     implement service continuity controls to ensure that when unexpected events occur,\n     critical operations continue without interruption or are promptly resumed, and\n     critical and sensitive data are protected. Controls to ensure service continuity\n     should address the entire range of potential disruptions, from relatively minor\n     interruptions, such as temporary power failures, to major disasters. The P&E\n     Policy Office developed its \xe2\x80\x9cCAMS-ME 1.1 COOP [Continuity of Operations Plan]\n     Executive Summary of Planning Activities,\xe2\x80\x9d June 19, 2006, and DISA Ogden\n     developed its \xe2\x80\x9cBusiness Continuity Plan for Systems Management Center Ogden,\xe2\x80\x9d\n     May 2005, as guides in the event of a contingency.\n\n\nPrevent and Minimize Damage and Interruption\n     DISA Ogden established adequate environmental controls over the CAMS-ME\n     hardware to prevent and minimize damage and interruption. Management\n     implemented controls including inspections of the fire extinguishers; fire, smoke,\n     and water detection systems; and an uninterruptible power supply. The DISA Ogden\n     facility was constructed in compliance with earthquake specifications and the\n     server lab was temperature controlled.\n
These controls help prevent minor\n     problems from becoming costly disasters.\n\n\nPrioritize Computer Operations and Supporting Resources\n    The P&E Policy Office appropriately established the CAMS-ME resource and\n    system criticality levels. However, it did not establish service continuity\n    controls based on the assessment of the criticality and sensitivity of computerized\n    operations. Specifically, management did not:\n\n           \xe2\x80\xa2   identify resources supporting critical data and operations,\n\n           \xe2\x80\xa2   establish emergency data processing procedures, and\n\n           \xe2\x80\xa2   establish system recovery and reconstitution procedures.\n\n    The P&E Policy Office did not establish service continuity controls based on the\n    assessment of the criticality and sensitivity of computerized operations because\n    management did not fully develop or follow service continuity policies and\n    procedures.\n\n    Resources Supporting Critical Data and Operations. The P&E Policy Office\n    did not adequately identify resources supporting critical data and operations. The\n    \xe2\x80\x9cCAMS-ME 1.1 COOP Executive Summary of Planning Activities\xe2\x80\x9d did not\n    identify supporting resources on its list of \xe2\x80\x9cdecisions and details to be\n    completed.\xe2\x80\x9d In addition, management did not ensure that the DISA Ogden\n    prioritized restoration list included CAMS-ME.\n
DoD Directive 3020.26,\n    \xe2\x80\x9cDefense Continuity Program (DCP),\xe2\x80\x9d January 1, 2007, states that contingency\n    plans should identify and prioritize organizational mission essential functions.\n    According to the DISA \xe2\x80\x9cBusiness Continuity Plan for Systems Management\n    Center Ogden,\xe2\x80\x9d May 2005, the customer is responsible for ensuring that their\n    system is included on the prioritized restoration list.\n\n    Emergency Data Processing Procedures. The P&E Policy Office did not\n    document emergency processing procedures. Management planned to provide\n    Components with spreadsheets to collect data. However, they did not document\n    procedures for creating or completing the spreadsheets. Office of Management\n    and Budget Circular No. A-127, Revised, \xe2\x80\x9cFinancial Management Systems,\xe2\x80\x9d\n    July 23, 1993, states that agency financial management systems and processing\n    instructions must be clearly documented in hard copy or electronically.\n\n    System Recovery and Reconstitution Procedures. The P&E Policy Office did\n    not adequately develop and document procedures for system recovery and\n    reconstitution once a contingency is complete. Management did not adequately\n    document procedures for starting up CAMS-ME at an alternate location. Also,\n    management did not document or develop reconstitution procedures which\n    include restarting the system, reloading manually processed data, and cleaning the\n    alternate site once a contingency is complete. National Institute of Standards and\n    Technology Special Publication 800-34, \xe2\x80\x9cContingency Planning Guide for\n    Information Technology Systems,\xe2\x80\x9d June 2002, recommends developing a\n    recovery strategy and reconstitution procedures.\n\n    The P&E Policy Office did not establish service continuity controls based on the\n    assessment of the criticality and sensitivity of computerized operations. 
As a\n    result, there is an increased risk of delays in the restoration of data processing\n    leading to inaccurate or incomplete financial information. Management has taken\n    action by developing the \xe2\x80\x9cCapital Asset Management for Military Equipment,\n    Contingency Planning Tabletop Test Plan,\xe2\x80\x9d September 27, 2007, and the draft\n    \xe2\x80\x9cCapital Asset Management System for Military Equipment (CAMS-ME),\n    Continuity of Operations Plan (COOP),\xe2\x80\x9d September 26, 2007. However, the Test\n    Plan and draft CAMS-ME COOP did not address all findings. To further mitigate\n    this risk, management should finalize the draft CAMS-ME COOP, ensure that\n    CAMS-ME is included on the DISA Ogden prioritized restoration list, document\n    emergency data processing procedures, and develop reconstitution procedures.\n\n\nDevelop and Document a Comprehensive Contingency Plan\n    The P&E Policy Office and DISA Ogden did not document a comprehensive\n    contingency plan for CAMS-ME. Specifically, the P&E Policy Office did not\n    develop a contingency plan for the CAMS-ME application and business\n    processes. DISA Ogden had a contingency plan for the facility and other\n    applications; however, it was incomplete and out of date. DITSCAP and DoD\n    Directive 3020.26 provide guidance for documenting and updating a\n    comprehensive contingency plan. The P&E Policy Office and DISA Ogden did\n    not have comprehensive contingency plans because they did not follow service\n    continuity guidance.\n\n    CAMS-ME Contingency Plan. The CAMS-ME 1.1 COOP Executive Summary\n    of Planning Activities was not a comprehensive contingency plan.\n
The P&E\n    Policy Office did not include the following, as recommended by National Institute\n    of Standards and Technology Special Publication 800-34:\n\n           \xe2\x80\xa2   a disaster recovery plan,\n\n           \xe2\x80\xa2   procedures for backup tapes,\n\n           \xe2\x80\xa2   results of scheduled exercises and drills, and\n\n           \xe2\x80\xa2   criteria on when the continuity of operations plan should be\n               implemented and who can make that decision.\n\n    DISA Ogden Contingency Plan. DISA Ogden developed and tested the\n    Business Continuity Plan. However, the DISA Ogden contingency plan did not\n    incorporate emergency procedures to follow in the event of a natural disaster. In\n    addition, the plan was not up to date and did not identify the current off-site\n    storage provider.\n\n    The P&E Policy Office and DISA Ogden did not document a comprehensive\n    contingency plan for CAMS-ME. As a result, there is an increased risk that\n    recovery of CAMS-ME processing would be delayed in the event of a\n    contingency. P&E Policy Office management has taken action by developing\n    the CAMS-ME COOP and CAMS-ME Contingency Planning Tabletop Test\n    Plan. To further mitigate this risk, DISA Ogden should update its Business\n    Continuity Plan to include the current off-site storage provider and emergency\n    procedures.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    F.1. We recommend that the Under Secretary of Defense for Acquisition,\n    Technology, and Logistics/Acquisition Resources and Analysis:\n\n           a.\n
Provide the Defense Information Systems Agency Ogden the\n    necessary information to ensure that Capital Asset Management System-\n    Military Equipment is included in the prioritized restoration list according to\n    DoD Directive 3020.26, \xe2\x80\x9cDefense Continuity Program (DCP),\xe2\x80\x9d January 1,\n    2007.\n\n            Management Comments. The Director, Acquisition Resources and\n    Analysis concurred. The Director, Acquisition Resources and Analysis stated that\n    the Capital Asset Management System-Military Equipment was added to the\n    prioritized restoration list in September 2007.\n\n           Audit Response. The Director, Acquisition Resources and Analysis\n    comments were responsive and conform to requirements; no additional comments\n    are needed.\n\n           b. Document manual processing procedures.\n\n           Management Comments. The Director, Acquisition Resources and\n    Analysis concurred. The Director, Acquisition Resources and Analysis tested the\n    contingency plan on September 27, 2007.\n\n           Audit Response. The Director, Acquisition Resources and Analysis\n    comments were responsive and conform to requirements; no additional comments\n    are needed.\n\n          c. Develop and document procedures to restore the original facility\n    and IT system to normal operating conditions once a contingency is over.\n\n             Management Comments. The Director, Acquisition Resources and\n    Analysis concurred. The Director, Acquisition Resources and Analysis referred the\n    restoration of the original facility and IT system to normal operating conditions\n    to the Defense Information Systems Agency business continuity plan.\n\n           Audit Response. The Director, Acquisition Resources and Analysis\n    comments were partially responsive.\n
The Director, Acquisition Resources and\n    Analysis identified the Defense Information Systems Agency Business Continuity\n    Plan for procedures on restoring the system to normal operating conditions once a\n    contingency is over. We request that the Under Secretary of Defense for\n    Acquisition, Technology, and Logistics/Acquisition Resources and Analysis\n    document or at least reference the Defense Information Systems Agency\n    procedures within the CAMS-ME Continuity of Operations Plan and provide a\n    completion date in his comments on the final report.\n\n          d. Finalize the draft \xe2\x80\x9cCapital Asset Management System for Military\n    Equipment (CAMS-ME), Continuity of Operations Plan (COOP),\xe2\x80\x9d\n    September 26, 2007.\n\n       Management Comments. The Director, Acquisition Resources and\nAnalysis concurred. The Director, Acquisition Resources and Analysis finalized\nthe contingency plan following the tabletop exercise on September 27, 2007.\n\n       Audit Response. We commend the Director, Acquisition Resources and\nAnalysis for taking prompt corrective action. The Director, Acquisition\nResources and Analysis comments were responsive and conform to requirements;\nno additional comments are needed.\n\nF.2. We recommend that the Director, Defense Information Systems Agency\nupdate the contingency plan to:\n\n       a. Include emergency procedures to follow during a natural disaster.\n\n       b. Identify the current off-site storage provider.\n\n       Management Comments. The Defense Information Systems Agency\nconcurred. The Director, Defense Information Systems Agency Computing\nServices plans to include the local emergency procedures for natural disasters,\nincluding earthquakes, and the current off-site storage provider in the contingency\nplan by May 5, 2008, and April 30, 2008, respectively.\n\n       Audit Response.\n
The Director, Defense Information Systems Agency\ncomments were responsive and conform to requirements; no additional comments\nare needed.\n\n\nAppendix A. Scope and Methodology\n We conducted this performance audit from January 2007 through February 2008\n in accordance with generally accepted government auditing standards. Those\n standards require that we plan and perform the audit to obtain sufficient,\n appropriate evidence to provide a reasonable basis for our findings and\n conclusions based on our audit objectives. We believe that the evidence obtained\n provides a reasonable basis for our findings and conclusions based on our audit\n objectives.\n\n        \xe2\x80\xa2   We interviewed personnel at the P&E Policy Office, Arlington,\n            Virginia; SSC San Diego, California; DISA Ogden, Utah; and DFAS\n            Columbus, Ohio.\n\n        \xe2\x80\xa2   We inspected documentation and observed activities supporting the\n            effectiveness of the general controls at the P&E Policy Office,\n            Arlington, Virginia; SSC San Diego, California; DISA Ogden, Utah;\n            and DFAS Columbus, Ohio.\n\n        \xe2\x80\xa2   We reviewed and tested specific control activities in place at the P&E\n            Policy Office, Arlington, Virginia; SSC San Diego, California; DISA\n            Ogden, Utah; and DFAS Columbus, Ohio.\n\n        \xe2\x80\xa2   We obtained and inspected system settings, access controls, and the\n            results of security readiness review assessments performed at\n            SSC San Diego, California; DISA Ogden, Utah; and DFAS Columbus,\n            Ohio.\n\n We used the Government Accountability Office \xe2\x80\x9cFederal Information System\n Controls Audit Manual\xe2\x80\x9d to develop the audit guide and procedures performed\n during this audit.\n
Based on the Federal Information System Controls Audit\n Manual, the audit was divided into six areas:\n\n        \xe2\x80\xa2   The entity-wide security program planning and management area is\n            the foundation on which all other general controls rely.\n\n        \xe2\x80\xa2   Physical and logical access controls reasonably protect the system and\n            data from unauthorized modification, loss, and disclosure.\n\n        \xe2\x80\xa2   Application change controls are the controls over the modification of\n            application software programs that ensure only authorized system\n            programs and modifications are implemented.\n\n        \xe2\x80\xa2   System software includes programs that are designed to operate and\n            control the processing activities of computer equipment on which an\n            application resides.\n\n       \xe2\x80\xa2   Segregation of duties refers to the separation of work responsibilities\n           whereby one employee supporting the application does not control all\n           critical stages of a process.\n\n       \xe2\x80\xa2   Service continuity includes the protection of an activity\xe2\x80\x99s resources,\n           minimization of opportunities for service interruption, and planning\n           for service recovery.\n\nThe control objectives included within the scope of the audit were derived from\napplicable laws and regulations.\n\nThe scope of this audit focused on controls at the P&E Policy Office, Arlington,\nVirginia; SSC San Diego, California; DISA Ogden, Utah; and DFAS Columbus,\nOhio, sites.\n
The controls assessed in this audit were the security planning and\nmanagement, access, application change, system software, segregation of duties,\nand service continuity controls of CAMS-ME.\nBecause of the planned CAMS-ME Increment 2 Release, the Statement on\nAuditing Standards No. 70 Audit of the Defense Information Systems Agency,\nand availability of audit resources, we did not perform tests of the following:\n\n       \xe2\x80\xa2   Application controls,\n\n       \xe2\x80\xa2   System penetration testing, and\n\n       \xe2\x80\xa2   Segregation of duties controls over functional users.\n\nUse of Computer-Processed Data. We did not rely on computer-processed data\nto perform this audit. Rather, we assessed the general controls over\ncomputer-processed data.\n\nGovernment Accountability Office High-Risk Area. The Government\nAccountability Office has identified several high-risk areas in DoD. This report\nprovides coverage of the Protecting Federal Government\xe2\x80\x99s Information-Sharing\nMechanisms, DoD Approach to Business Transformation, and DoD Financial\nManagement high-risk areas.\n\n\nPrior Coverage\n     During the last 5 years, the Department of Defense Office of Inspector General\n     has issued two reports discussing the Defense Information Systems Agency\n     Controls over the Center for Computing Services. These reports are indirectly\n     related to CAMS-ME because they discuss controls that the Defense Information\n     Systems Agency has implemented. Unrestricted Department of Defense Office of\n     the Inspector General reports can be accessed over the Internet at\n     http://www.dodig.mil/.\n\nDoD IG\n     DoD IG Report No.\n
D-2007-082, \xe2\x80\x9cDefense Information Systems Agency Controls\n     over the Center for Computing Services,\xe2\x80\x9d April 9, 2007\n\n     DoD IG Report No. D-2006-086, \xe2\x80\x9cReport on the General and Applications Controls at\n     the Defense Information Systems Agency, Center for Computing Services,\xe2\x80\x9d\n     May 18, 2006\n\n\nAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n   Director, Acquisition Resources and Analysis\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Networks and Information Integration)/Chief\n   Information Officer\nDirector, Program Analysis and Evaluation (PA&E)\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\n\nCombatant Commands\nInspector General, U.S.\n
Joint Forces Command\n\nOther Defense Organizations\nNational Security Agency\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\nRanking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Oversight and Government Reform\nHouse Subcommittee on Government Management, Organization, and Procurement,\n  Committee on Oversight and Government Reform\nHouse Subcommittee on National Security and Foreign Affairs,\n  Committee on Oversight and Government Reform\n\n\nUnder Secretary of Defense for Acquisition,\nTechnology, and Logistics/Acquisition Resources\nand Analysis Comments\n[Scanned management comment letter; only the final report reference margin notes\nsurvived extraction: \xe2\x80\x9cRenumbered as Recommendation A.,\xe2\x80\x9d \xe2\x80\x9cDeleted,\xe2\x80\x9d and\n\xe2\x80\x9cRenumbered as Recommendation C.\xe2\x80\x9d]\n\n\nDirector, Defense Information Systems Agency\n[Scanned management comment letter; no text survived extraction.]\n\n\nTeam Members\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial\n
Auditing Service prepared this report. Personnel of the\nDepartment of Defense Office of Inspector General who contributed to the report\nare listed below.\n\nPatricia A. Marsh\nEdward A. Blair\nGregory M. Mennetti\nDwayne A. Coulson\nMichael B. Dell, Jr.\nDevon R. Houston\nKendall A. Miller\nDea M. Algeo\nTroy A. Robertson\nCelita M. Pomales\nAi T. Nguyen\nErin S. Hart\n'